Equifax is committed to being an industry leader in security. That's why we've undergone a multi-year transformation of our cybersecurity capabilities, backed by a US$1.5 billion investment in security and technology.
The New Equifax embeds security into everything we do – from our technology infrastructure, data fabric, and product development, to our merger and acquisition strategies, employee training, and to our incentive compensation plans.
We have overhauled our security controls, completed rigorous certifications of our program, and shared lessons learned with our customers and partners. In multiple independent ratings, our security capabilities now exceed every major industry benchmark.
Security has become a point of strength and a competitive advantage at Equifax.
To learn more about these efforts, read our Security Annual Report.
-
Equifax's Philosophy Towards Security
Equifax's approach to Security can be broken down into four C's:
Culture
Security is built into the DNA of our company. We continuously reinforce our security-first culture by ensuring that all employees understand their role in protecting data and systems as well as the importance of treating security as a personal priority.
Tone at the Top
The tone for our security program comes from the top, with our Board of Directors actively engaged in the oversight of our security program and every employee and Board member receiving annual security training. The Equifax Board includes Directors with cybersecurity expertise. Additionally, robust security reviews are integrated in M&A due diligence and integration as well as our capital allocation processes.
Aligned Incentives
All bonus-eligible employees have a security performance measure included in the calculation of their annual incentive compensation, underscoring the vital role that security plays in our business. Throughout the year, every employee receives a monthly security scorecard so that they can keep track of and improve their security performance.
Shared Responsibility
We train 100% of our Board of Directors, leaders, and employees in security at least annually. Our training is developed to meet the specific needs of our business and includes role-based training, ongoing campaigns to combat phishing, and customized feedback to aid learning. We also conduct tabletop exercises and real-time simulations to ensure that the Board, company leaders, and employees are ready to respond effectively in the event of a crisis.
Controls
We employ a defense-in-depth approach with multiple layers of controls designed to prevent or limit the success of an attack. Our controls work in concert so no control is viewed in isolation.
Built In, Not Bolted On
Security is embedded in our development cycles. Tools and processes like security advisements, automatic code scanning, and penetration testing are integrated into our development pipeline and improve the security of the data, systems, and products that our customers and consumers use. Additionally, we have built out a library of patterns and stamps -- reusable, security-approved building blocks that developers customize and deploy, ensuring standard configurations are applied to all environments and applications.
Controlled Access
We have applied a "least privilege" approach to Identity and Access Management in which no employee has any more access than what is absolutely required for his or her job. We have multi-factor authentication (MFA) for 100% of our remote network access, including our privileged assets that hold our most sensitive information. We also implemented an access management tool that provides security professionals with a one-time, real-time password to access certain programs. By controlling access to our data environments, we provide the right access to the right people at the right time.
Detection and Response
The migration of our data and assets to the cloud gives us stronger visibility into the data that is coming in and out of our environment in real time. We have enhanced our top-tier cloud security to include automated validation and monitoring. In addition, our team instituted a behavior analytics platform powered by artificial intelligence designed to detect insider threats.
Compliance
We strive to exceed the expectations of the people, businesses, and government agencies that count on us. We have fielded thousands of customer assessments, regained all of our PCI/ISO/SOC 1&2 and FISMA certifications, and successfully managed and matured our compliance governance processes.
Built on a Strong Foundation
Our security and privacy controls are aligned with frameworks developed by the National Institute of Standards and Technology (NIST). We have adopted the Cybersecurity Framework (NIST CSF) which integrates industry standards and best practices for cybersecurity, and in 2020, we became an early adopter of the Privacy Framework (NIST PF). Five core capabilities – cybersecurity, privacy, fraud prevention, crisis management, and physical security – are now represented in our company's unified controls framework and comprehensive security program.
Focused on Risk
Our approach to managing cyber risk is visible, thoughtful, and prioritized. Prioritizing based on risk (instead of taking a "one size fits all" approach) means that we focus our attention and our resources on the highest risks in our organization and apply fit-for-purpose controls to defend against those risks. This approach is integral to our overall Enterprise Risk Management program and aligned with the other types of risk we face.
Third-Party Validation
We utilize leading third parties to assess how well our organization can adapt to cyber threats and manage risk over time (Security Maturity) as well as our readiness and ability to identify, respond to, and recover from security threats and risks (Security Posture).
Customers
Maintaining the trust of our customers is essential. That's why we're leveraging our security investments and expertise to help our customers and consumers become more cyber resilient.
Sharing Lessons Learned
Following the cyber attack on our company in 2017, we made a commitment to helping others avoid the same fate. That's why we actively participate in global forums to promote stronger cybersecurity for business, government, and society; partner with law enforcement to combat fraud and identity theft and to identify criminal activity; and collaborate with organizations to advance new ideas and solutions in cybersecurity.
Becoming Cyber Resilient
A vital part of our security transformation is leveraging our investments and expertise to help our customers become more cyber resilient. Of note, we developed CloudControl, a platform that strengthens our customers' digital supply chain and gives customers real-time visibility into the security of their Equifax cloud products. We are also combining advanced analytics and intelligent data orchestration to help businesses verify the identity of consumers and prevent fraud with pinpoint accuracy.
Advancing Transparency
Transparency is our standard. We've chosen this approach because security shouldn't be a trade secret. Our company's security and privacy leaders have hosted several Customer Security Summits in the U.S., Canada, U.K., and Australia, in order to have direct conversations about the evolution of our security program and important topics in cybersecurity such as access management, incident response, cloud security, data protection and privacy.
-
What Are Phishing and Smishing?
Phishing and smishing are common strategies used by online scammers to steal personal and financial information. If you're one of the billions who regularly use email, text and other virtual messaging platforms, it's vital to understand and recognize signs of potential phishing and smishing attacks.
What is phishing?
Phishing messages are fraudulent messages used by scammers to trick you into clicking a link or opening an attachment that will provide them access to your information or download malware onto your computer.
Phishing messages may look legitimate. They may come in the form of a communication that seems to be from your bank, credit card company, a company you do business with or even your employer. Others may seem to come from a familiar social networking site, an online store or an online payment website or app.
These messages may tell you there's a problem with your account or payment information, or that some suspicious activity or login attempts have taken place. They may also include a fake invoice or ask you to update or confirm personal information.
The goal of phishing is to get you to take the bait, whether that's logging in to your account directly from the message (giving hackers access to your password), clicking on a link or opening an attachment.
How to recognize phishing
While some phishing messages may obviously come from strangers, others may appear to come from an organization you know and trust. Look closely at any messages you receive and ask yourself the following:
• Do you have an account with the business that's contacting you? If so, does the email address match the address associated with your account? Did you sign up to receive email discounts from this company?
• If the message claims to be from an individual, do you know this person?
• Does the message address you by name?
• Did the email come to your junk or spam folder?
• If you hover over the sender's email address and any links in the message, where do they lead and do they look legitimate?
• If there are attachments, did they come from a trusted contact and do you know what they are?
• Are there misspellings and awkward grammar throughout the message?
• Are you being asked for a payment you aren't sure you owe?
• Are you being threatened with lawsuits and penalties if you don't immediately take action?
Don't click on any links or attachments in messages if you can't verify they are legitimate. Even if the sender claims to be from a company you know and do business with, do not click on a link in the email to log in to your account; instead, go to the company's website to log in.
It's also important to know that most financial institutions and government agencies will not request personal information through emails, texts or other types of messages.
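The "hover over the links" and "does the sender's address match" checks above can be automated for triage. The following is an added example, not code from Equifax: it parses a single-part HTML email with Python's standard library, compares the sender's domain and every link's destination against the domain the message claims to come from, flags link text that reads as one site while pointing at another, and looks for the urgency language the list warns about. The sample messages, the domain names in them and the short phrase list are all constructed for the example; the "registered domain" helper assumes plain two-label domains and does not handle public suffixes such as co.uk.

```python
"""Phishing triage: check a message against the warning signs listed above
(sender domain, link text vs. link target, urgency language).
Added example with constructed sample data; not Equifax code."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, deliberately short list of pressure phrases.
URGENCY_PHRASES = ("immediately", "suspended", "legal action", "penalty", "within 24 hours")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix handling)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url_or_text):
    """Hostname of a URL; bare 'www.example.com/x' text is treated as http."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return urlparse(s).hostname or ""


def analyze(raw_message, expected_domain):
    """Return a list of human-readable findings; an empty list means no sign fired."""
    msg = message_from_string(raw_message)
    findings = []

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if registered_domain(sender_domain) != expected_domain:
        findings.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")

    body = msg.get_payload()  # single-part message assumed
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = registered_domain(host_of(href))
        if target != expected_domain:
            findings.append(f"link {href!r} leads to {target!r}, not {expected_domain!r}")
        looks_like_url = "." in text and " " not in text
        if looks_like_url and registered_domain(host_of(text)) != target:
            findings.append(f"link text {text!r} does not match destination {href!r}")

    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:
        findings.append("urgency/threat language: " + ", ".join(hits))
    return findings


# Constructed sample messages (domains are invented for the example).
SAMPLE = """From: Example Bank Security <alerts@examp1e-bank-verify.com>
To: customer@example.org
Subject: Action required on your account
Content-Type: text/html

<p>Suspicious login attempts were detected. Verify immediately or your account will be suspended.</p>
<p><a href="http://login.examp1e-bank-verify.com/verify">www.examplebank.com/login</a></p>
"""

CLEAN = """From: Example Bank <notices@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement is available in online banking.</p>
<p><a href="https://www.examplebank.com/statements">www.examplebank.com/statements</a></p>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE, "examplebank.com"):
        print("-", finding)
```

Run against the constructed SAMPLE it reports four findings (mismatched sender domain, a link leading off-domain, link text that disagrees with its destination, and pressure language); the CLEAN message reports none. A real filter would add the public-suffix list and handle multipart bodies, but the logic mirrors the manual checks the list describes.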
How to help protect yourself from phishing emails
Your spam or junk mail filters may keep some phishing messages out of your inbox, but as scammers and hackers constantly try to get past those filters, you might consider some other ways to help protect yourself.
These might include:
• Use security software. Install security and anti-virus software on your computer or mobile phone and set it to update automatically as new threats arise.
• Enable multi-factor authentication. This extra step, which typically requires you to enter a one-time code sent via text or email, makes it harder for scammers to access your accounts, even if they have your username and password.
• Back up your data. In the event of a phishing attack, your data can be destroyed or encrypted. Use an external hard drive, a USB drive or cloud storage to back up your device so that you can safely recover your files.
Help! I've been phished!
If you clicked on a suspicious link or attachment and are worried about potential phishing, here are some steps you can take:
• Disconnect your device from the internet as quickly as possible. This may help reduce the risk of malware spreading to other connected devices and may prevent a hacker from remotely accessing your device.
• Scan your device with antivirus or security software. You may be able to run the scan, even if you aren't connected to the internet.
• Update your passwords. If you entered any personal information, such as a password, use an uncompromised device to change that password on any affected accounts.
• Alert any relevant accounts of the breach. If you entered a credit card or bank account number, contact your credit card company or financial institution.
• Contact the ACCC's ScamWatch to report the scam.
• Contact IDCare, a government-supported not-for-profit organization that assists those affected by identity theft.
You might also want to consider placing a fraud alert or security freeze on your credit reports with Equifax.
How to report phishing emails
If you receive a phishing email or text message, you can report it and help fight phishing. The ACCC's ScamWatch allows you to report potential scams and also contains information about historical and current scam campaigns that it has been alerted to.
What is smishing?
While phishing typically refers to email scams, smishing refers specifically to deceptive text messages.
Smishing scams involve contact from an unknown number, often claiming to be from a reputable business. These messages may contain a link that attempts to bait you into clicking it and entering sensitive personal information, such as login details for a secure account or other personal data.
Smishers may try to sell the information they gather from you to other scammers, or entice you to download malware onto your smart device.
How to identify a smishing attack
Smishing has become prevalent as people increasingly use their mobile phones for text messaging and other services like mobile shopping and banking. Since smishing is still relatively new compared to email scams, it catches many mobile users off guard.
Here are a few warning signs that can help you identify a smishing attack:
• The message asks you to click a link to verify personal information.
• The message asks you to provide your personal information by calling or texting the number.
• The message claims to be from a government agency. According to the Federal Communications Commission (FCC), government bodies almost never initiate contact via phone or text. If they do provide text notifications or updates, they need your permission first, which typically requires you to sign up by entering your phone number on the official government website.
What do you do if you suspect a text message might be a smishing scam?
Smishing texts are often disguised as fraud alerts or undelivered package notifications. For example, you may receive a text from an unknown number saying that a package could not be delivered. Or, some text messages say that you have a large purchase or suspicious payment on your bank account. Since many banks and package delivery services now provide text notifications, here's how you can identify potentially fraudulent messages:
• You did not make a recent purchase or request a package to be delivered. If a text message claims that your package has not been delivered or your bank is notifying you of some sort of fraud, check your order history and your bank accounts immediately. Since you need to sign up to receive text notifications from legitimate companies, you can validate any suspicious texts by confirming the contact information of the company the text is claiming to come from.
• The text is coming from an unknown number. Legitimate companies typically send text notifications from only one number. If you are signed up for text notifications from your bank and you receive a message from a different number, check with your bank to confirm their contact information before responding to any message.
• The text redirects you to a new link or asks you to call the number. Smishing scams often entice you to click on a link or call the number. That's when scammers can manipulate you into sharing your information.
To avoid a smishing attack and lower potential risk:
• Never click on a link or respond with your financial or personal information.
• If you aren't sure whether the number is legitimate, independently verify the company's contact information via a simple web search.
• Don't respond to a suspicious message with 'STOP' or 'No' to avoid future text messages; it is safer to delete the message entirely rather than engage with a potential scammer.
• You can then block the number to avoid future attempts at contacting you.
• You should also report any potential smishing scams to the ACCC's ScamWatch.
-
Cyber Security Checklist
It can seem harder than ever to keep up with – and stay ahead of – the threats posed by hackers and fraudsters online, particularly as their tactics keep changing.
While it may not be possible to make your information and data completely hack- or theft-proof, protecting it as best you can may make you a less likely target. It's a perfect time to dedicate a few hours to your personal cybersecurity.
Cybersecurity checklist
Here is a checklist you can use to conduct your own cybersecurity checkup:
Is your computer up to date?
Whether you use a desktop, a laptop or both, make sure your browser, operating system and software are updated, so you can receive any patches or security updates released. This can help protect you against malware.
Is your mobile device secure?
Ensure your phone is protected by a passcode, or that you use a fingerprint or facial recognition to unlock it. If your phone is set up to connect to any available public WiFi network, turn this feature off to avoid connecting to unsecured networks that may put your personal information at risk. If you frequently must use public WiFi, consider using a Virtual Private Network (VPN).
And if you're charging your mobile device in a public place, don't plug your phone's USB cable into unfamiliar ports; use your own port and cable and plug it into a power outlet. If a port or cable is hacked or compromised, the data on your phone could be stolen.
Are you suspicious of unsolicited emails or texts?
It can be hard to recognize phishing emails or text messages. A best practice is to avoid clicking on links or attachments in emails you aren't sure about. If the sender is someone you know, verify with them that the email is legitimate before clicking on it – their account could have been hacked. Don't send any personal information over email or text.
Let's talk passwords.
It's hard to keep up with passwords on multiple web sites. That's why it's common for people to reuse or repeat usernames or passwords. But it's risky – if one of your accounts is compromised, others using those credentials could also be accessed. Consider using a password manager that creates unique passwords and stores them securely. You also may want to think about enabling two-factor authentication when possible. This adds an extra layer of security and requires you to take an extra step (such as entering a code texted to you) in order to log in.
Are your social media habits putting you at risk for identity theft?
Check the privacy settings on your social media accounts to make sure you're comfortable with them. You can also set up login notifications that will let you know if someone else logs into your accounts. Be cautious about what you share and who can see it; your publicly available information could be used to find answers to security questions or learn your routines and location.
What about your apps?
Check the privacy permissions on your apps and only grant those that are needed. Apps that can access your photos, location, camera and contacts, for instance, can allow the app owner to access your information. Only download apps from the Apple App Store® or Google Play™ and avoid those from third-party app stores. Also avoid apps that pop up and ask you to download them, as they could contain malware.
Cybersecurity awareness may seem unnecessary, but the time you put in may help protect you from hackers and fraudsters, who can create a mess that may take much more time to unravel.
-
How to Report a Scam
If you fall victim to a scam or believe that you have been targeted, report it as soon as possible to protect yourself as well as others. The best way to do this is via the ACCC's ScamWatch.
If a scam has resulted in the transfer of personal information, money or other goods, please report the incident to the ACSC's ReportCyber. This site is set up specifically to deal with cybercrime and can assist with next steps.
Both of these sites are run and funded by the Australian government and coordinate with businesses and governments internationally.
-
Password Safety: Are Yours Secure Enough?
Most of us have seen the message pop up more than once: 'your password needs to be at least 8 characters long,' or something similar.
It might make you roll your eyes, but remember: passwords need to be strong in order to help secure your personal information -- including emails and files.
Most people know the risks of flimsy passwords. But even knowing the risks hasn't necessarily changed our behavior. In 2018, for the fifth consecutive year, '123456' and 'password' topped the list of the worst passwords of the year. Unfortunately, passwords continue to be one of the most common ways hackers break into computers and personal data.
By guessing passwords, hackers can give themselves an all-access pass to your financial accounts, personal documents and files, and possibly your other devices – especially if you reuse passwords across different sites.
It's no surprise we do reuse them, given the number of sites requiring a login with a password. More than half – 60 percent – of 3,000 adults surveyed by Google and Harris Poll said they have too many passwords to remember. And 65 percent of respondents to the survey, released in early 2019, said they reuse the same passwords for multiple accounts.
Even using a slight variation on the same password may not make it harder for hackers, and they may be counting on us to take the easy way out. Reusing passwords, even with slight variations, is like moving your house key from under the doormat to under a flower pot: it may not be secure enough.
If a hacker can access your personal data, they may be able to steal your money – or your identity. If you're a business owner, cyber criminals can sneak into your data and access client and customer information.
So where do you start? Here are some suggestions for creating and storing passwords:
Creating a strong password
Make it unique.
Use a different password for every important online account you have, such as bank accounts, credit card, and emails. If you can, use a different password for every single account. One way to make it easy to keep track of each password is to use the first letter of the channel or website to begin the password, or something similar so you can easily relate it to each account.
Make it longer.
Longer passwords are stronger and much harder for hackers to guess. Use a 'passphrase' you would remember that no one else would. It could be a string of seemingly random words with numbers and symbols, like oneDay2WeCan$G0totheM00n. Aim for at least 16 characters.
Avoid personal information and common words.
As you create longer passwords, remember to avoid using personal information like nicknames, names of children or pets, birthdays, or address information. Also avoid common words such as 'letmein' or 'password,' and avoid keyboard patterns like 'qwerty.'
Make it complex.
Using upper and lowercase letters, special characters, and numbers all make your passwords more complex and harder to guess or hack. Avoid using words that could be found in a dictionary. You can try breaking up a word with a special character or string of numbers. Put your symbols and numbers throughout the password and not just at the beginning or end.
Use a password generator.
A password generator can help you create a truly random character combination. There are a number of password generators online. Some are web-based and some need to be downloaded.
Consider using two-factor authentication when possible.
Many accounts and applications now offer two-factor authentication. This means you take another step to log in, such as enter a code sent by text to your phone, or you may use your fingerprint. Some other accounts require two-factor authentication if you are connecting from a new device or resetting a password. Consider enabling it when you can. It is an extra step to log in, but it can add an extra layer of security to your accounts.
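The rules in the steps above (length, character mix, no common words or keyboard patterns, no personal details, digits and symbols spread through the password, no reuse even with slight variations) can be turned into a checker. The following is an added example, not Equifax code or a real password policy: it evaluates a candidate password against those rules and returns the problems found. The common-password, keyboard-run and dictionary lists are tiny constructed stand-ins for the real lists a checker would use, and the "variation of an existing password" test is a simple assumption (strip digits and symbols, compare what is left) rather than a standard algorithm.

```python
"""Check a candidate password against the guidance above.
Added example with constructed word lists; not Equifax code."""
import re
import string

# Constructed stand-ins for real lists (tuples keep the report order stable).
COMMON_PASSWORDS = ("123456", "password", "letmein", "qwerty", "12345678", "111111")
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "1234567890", "abcdefg")
DICTIONARY_WORDS = ("password", "welcome", "summer", "dragon", "monkey", "football")


def normalise(password):
    """Lowercase and drop everything but letters, so 'Summer2019!' and 'summer2020#'
    compare equal: the 'slight variation' reuse the text warns about (assumption)."""
    return re.sub(r"[^a-z]", "", password.lower())


def check_password(password, personal_terms=(), existing_passwords=(), min_length=16):
    """Return a list of problems; an empty list means every rule passed."""
    problems = []
    lowered = password.lower()

    if lowered in COMMON_PASSWORDS:
        problems.append("one of the most common passwords")

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    classes = {
        "lowercase": re.search(r"[a-z]", password),
        "uppercase": re.search(r"[A-Z]", password),
        "digit": re.search(r"\d", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, hit in classes.items() if not hit]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # Any four consecutive characters of a keyboard row or a number/letter sequence.
    for run in KEYBOARD_RUNS:
        for i in range(len(run) - 3):
            if run[i:i + 4] in lowered:
                problems.append(f"keyboard/sequence pattern '{run[i:i + 4]}'")
                break

    for word in DICTIONARY_WORDS:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")

    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal detail '{term}'")

    # Digits/symbols only at the edges: the text says to spread them throughout.
    core = password.strip(string.digits + string.punctuation)
    if core and core.isalpha() and re.search(r"[^A-Za-z]", password):
        problems.append("digits and symbols appear only at the start or end")

    for old in existing_passwords:
        if normalise(old) == normalise(password):
            problems.append("reuses (a variation of) a password from another account")
            break

    return problems


if __name__ == "__main__":
    # The passphrase from the text passes every rule.
    print(check_password("oneDay2WeCan$G0totheM00n"))
    # A constructed weak choice, checked against a constructed pet name and an
    # existing password for another account.
    for problem in check_password("Summer2019!", personal_terms=("Rex",),
                                  existing_passwords=("summer2020#",)):
        print("-", problem)
```

The passphrase the text suggests, oneDay2WeCan$G0totheM00n, returns no problems; the constructed "Summer2019!" is reported as too short, built on a dictionary word, with its digits and symbol bunched at the end, and a variation of a password already used elsewhere. A password manager's generator (the next section) sidesteps all of these at once.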
Storing passwords
Now that you've conquered creating a secure and strong password, you've just got to remember it (along with all the others)! Mentally keeping track of each password can be difficult. Here are a couple of ways you can make it easier while keeping your passwords secure:
Use a password manager.
In the Google survey, only 24 percent of respondents said they use a password manager, despite many respondents saying they need a better way to track passwords. You can download a password manager for free or pay for a more robust option. Most password managers use encryption to store your data and can sync across all of your devices. They may also come with password generators. Most managers require you to remember just one password: the one you need to get into the manager account.
Let your device, browser, or app remember.
Your mobile device may have the ability to auto-fill some passwords and come up with unique strong passwords once you use your fingerprint or a face scan to unlock that capability. In addition, some apps have a 'remember me' function, requiring you to sign in with a username and password once, then using your fingerprint or face scan to sign you in afterward. The key here is to have a strong overall password or passcode on your device. For example, automating passwords might not be a good idea if your passcode is something easy to guess, like '1234.'
Lock it up.
If you do need to write your passwords down, don't create a document on your computer or leave a physical piece of paper near your desk. Instead, store a piece of paper in a secret place or lock box.
We all juggle multiple passwords each day, and sometimes struggle with forgetting them. But taking a few moments to create strong passwords and store them as securely as possible can help make your personal information more secure.